[nsp] RE: OK I'm Stumped!!!!

Martinez, Edwin II (contractor) Martinee at eur.disa.mil
Sat Jun 5 13:49:41 EDT 2004


I would have to agree with Andrew's gut feeling, that it is MTU related.
However, it won't be that easy.

Are you using the "no ip unreachables" command or doing anything to block
ICMP through your network? We ran into similar problems with users
complaining about accessing mail or surfing because our use of "no ip
unreachables" prevents the user from receiving ICMP messages that advise
their machines of the need to fragment packets, which also interferes with
Path MTU discovery.

If they are Microsoft users, there is a registry setting (EnablePMTUBHDetect
or PMTUBlackHoleDetect, depending on OS version) that will force their
systems to negotiate connections with an MTU that is < 600 bytes (which is
supposed to be either the max or near max acceptable values for dial-up
links).

Try the following MS Support Knowledge Base articles for more info: 156438,
314053 and 120642.

If it is ICMP-related, and you are blocking ICMP responses for security
reasons, I would hope that you opt for security and have your customers
change their config to access services as opposed to changing your posture.

Good luck.

Edwin Martinez II
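
The ICMP message at issue in the message above is Destination Unreachable, type 3 code 4 ("fragmentation needed and DF set"). The following is an added example, not part of the original message: it parses that message and shows what a sender learns when it arrives versus when it is suppressed or filtered. The function names, the documentation-range addresses and the 576-byte next-hop MTU are constructed for illustration.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, src: str, dst: str) -> bytes:
    """Constructed sample: ICMP type 3 code 4 quoting a 1500-byte DF packet."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst)) + b"\x00" * 8
    head = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    return struct.pack("!BBHHH", 3, 4, checksum(head + inner), 0, next_hop_mtu) + inner

def parse_frag_needed(icmp: bytes):
    """Return the PMTUD fields of a type 3 / code 4 message, else None."""
    if len(icmp) < 28 or checksum(icmp) != 0:
        return None  # too short to quote an IP header, or corrupted
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    # Quoted original IPv4 header starts at offset 8 of the ICMP message.
    total_len, _, flags_frag = struct.unpack("!HHH", icmp[10:16])
    return {"next_hop_mtu": mtu, "orig_len": total_len,
            "df_set": bool(flags_frag & 0x4000),
            "orig_dst": socket.inet_ntoa(icmp[24:28])}

def sender_path_mtu(current: int, icmp):
    """Path MTU the sender uses after receiving (or not receiving) the message."""
    info = parse_frag_needed(icmp) if icmp else None
    if info and info["df_set"] and 68 <= info["next_hop_mtu"] < current:
        return info["next_hop_mtu"]
    return current  # nothing learned: full-size DF packets keep being dropped

if __name__ == "__main__":
    msg = build_frag_needed(576, "192.0.2.10", "198.51.100.10")
    print(parse_frag_needed(msg))
    print("ICMP delivered:", sender_path_mtu(1500, msg))
    print("ICMP filtered: ", sender_path_mtu(1500, None))
```
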


